CVE-2026-10560
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
IBM Langflow OSS versions 1.0.0 through 1.9.6 contain a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints, allowing an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.
Risk Assessment
The risk for the organization includes potential exposure of sensitive build-related data and the ability to disrupt system operations by canceling jobs, which may impact business continuity.
Recommendation
It is recommended to immediately upgrade IBM Langflow OSS to version 1.9.7 or later, which fixes this vulnerability, and to enforce authentication for all API endpoints.
Original NVD description (English source)
IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.

